On 02/22/2012 12:34 PM, Bruno Wolff III wrote:
> I remember that once upon a time there was a boolean (or at least a
> setting in system-config-selinux) that would block root from using
> setenforce to change from enforcing to permissive mode.
>
> I can't seem to find it now on F17. I haven't figured out the
> correct combo to find this via google.
>
> I tested the secure_mode boolean, but that didn't appear to work.
> Nothing else in the list looked like it would block changing to
> permissive mode.
>
> Is this setting gone now? If not can someone point me to what it is
> or documentation about it?
>
> Thanks.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

You need to turn off the unconfined_t user to make this work, especially as root, and then use sysadm_t.

# semanage boolean -l | grep secure
secure_mode                    (off  ,  off)  disallow programs, such as newrole, from transitioning to administrative user domains.
secure_mode_policyload         (off  ,  off)  prevent all confined domains from loading policy, setting enforcing mode, and changing boolean values.
    Set this to true and you have to reboot to set it back.
secure_mode_insmod             (off  ,  off)  disallow programs and users from transitioning to insmod domain.
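As an added example (not part of the original thread, and not Fedora's or the SELinux project's own tooling), the following POSIX shell script checks for the state the reply describes: secure_mode_policyload on, and the caller not running in unconfined_t, since the boolean only restricts confined domains and does nothing for an unconfined root. The getsebool output and the SELinux contexts it parses are constructed samples so it runs offline; the `semanage login -m -s sysadm_u root` line is one assumed way of keeping root out of unconfined_t, and the script prints the lockdown commands rather than running them because they require root and, as the reply notes, a reboot to undo.

```shell
#!/bin/sh
# Added example, not from the original mail. Checks whether a host is in the
# state the reply describes: secure_mode_policyload on AND the caller not in
# unconfined_t (the boolean only restricts *confined* domains, so an
# unconfined_t root can still run `setenforce 0` even with it on).

# Constructed sample of `getsebool secure_mode_policyload` output; on a real
# host the real command's output is fed into boolean_state instead.
sample_getsebool() {
    printf 'secure_mode_policyload --> %s\n' "$1"
}

# Parse "secure_mode_policyload --> on|off" from stdin and print "on" or "off".
boolean_state() {
    sed -n 's/^secure_mode_policyload --> //p'
}

# The third field of an SELinux context (user:role:type:level) is the domain.
context_domain() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when `setenforce 0` is blocked for a process in context $2 given
# boolean state $1 ("on"/"off"), 1 otherwise.
setenforce_locked() {
    _state=$1
    _domain=$(context_domain "$2")
    [ "$_state" = "on" ] && [ "$_domain" != "unconfined_t" ]
}

# Commands that reach the locked state. Printed rather than run: they need root
# and a reboot to undo. The login mapping is one assumed way to keep root out of
# unconfined_t; setsebool -P must come last, because once the boolean is on no
# confined domain, sysadm_t included, can change booleans or load policy again.
lockdown_commands() {
    cat <<'EOF'
semanage login -m -s sysadm_u root
setsebool -P secure_mode_policyload on
EOF
}

# Live check when running on an SELinux host with the userspace tools present;
# otherwise falls back to the constructed sample so the script still runs offline.
live_check() {
    if [ -r /sys/fs/selinux/enforce ] && command -v getsebool >/dev/null 2>&1; then
        _s=$(getsebool secure_mode_policyload | boolean_state)
        _c=$(id -Z)
    else
        _s=$(sample_getsebool off | boolean_state)
        _c='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
    fi
    if setenforce_locked "$_s" "$_c"; then
        echo "locked: setenforce is blocked for $_c"
    else
        echo "NOT locked (secure_mode_policyload=$_s, context=$_c); to fix, as root:"
        lockdown_commands
    fi
}

live_check
```

Run it as root on the host in question; if it reports "NOT locked" while you are already in sysadm_t, the only remaining step is the setsebool line, after which the lock can only be undone by rebooting.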